Your company uses Azure SQL Database with Microsoft Entra ID authentication. You need to ensure that only users from a specific Microsoft Entra ID tenant can access the database. What should you configure?
This allows all IPs but relies on Entra ID to validate the tenant.
Why this answer
Option C is correct because to restrict access to a specific Microsoft Entra ID tenant, you must first set the server-level firewall to allow all Azure IPs (0.0.0.0) so that Azure SQL Database can accept connections from any Azure resource, and then enforce tenant-level restrictions using a conditional access policy. This combination ensures that only users from the specified tenant can authenticate, while the firewall rule handles network-level access from Azure services.
Exam trap
The trap here is that candidates often think a conditional access policy alone can restrict tenant access, but it must be combined with the firewall rule '0.0.0.0' to allow Azure services, as the policy only controls authentication, not network connectivity.
How to eliminate wrong answers
Option A is wrong because a conditional access policy alone cannot restrict access to a specific tenant; it controls sign-in conditions (e.g., location, device) but does not filter by tenant ID. Option B is wrong because setting the server firewall to allow only the tenant's IP range is ineffective, as Microsoft Entra ID authentication relies on identity, not IP addresses, and tenant IP ranges are not static or reliably scoped. Option D is wrong because a network security group (NSG) operates at the virtual network level and cannot be applied to Azure SQL Database's public endpoint; it is used for PaaS resources within a VNet, not for restricting tenant access.